
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

More data from the survey, including data on career paths (a new
feature this year) and factors affecting job satisfaction are at the
end of this Newsbites.

The SANS salary survey is continuing through the summer.
You may get detailed data from the survey by filling it out at
http://rr.sans.org/survey . In the process, you will also get access
to the 2,000 unique security research papers in the SANS Reading Room.
In a separate salary survey, reported in the second story below, SANS
GIAC and CISSP certifications accounted for the largest "certification
premium pay," ranging up to more than 10%.

THE REST OF THE WEEK'S NEWS

28 & 30 June 2002 Media Player Patch EULA Harbors a Surprise

According to the End User License Agreement (EULA), when you install Microsoft's patch for the Media Player vulnerabilities, you grant Microsoft the right to force automatic updates on your system.
http://bsdvault.net/article.php?sid=527&mode=&order=0
http://www.theregister.co.uk/content/55/25956.html
[Editor's Note (Murray): Without getting into the debate over how much copyright owners should be able to cripple our systems to enforce their rights, few businesses would want to authorize "automatic updates" that might limit their use of their systems. Fewer still rely on Windows Media Player. However, most end users understand that AOL automatically updates their systems at its discretion.]

28 June 2002 GameSpy Installer Infected with Nimda

GameSpy Arcade Installer 1.09 was infected with the Nimda virus for several hours last week. An estimated 3,100 infected files were downloaded, and the company is contacting all who might have downloaded the affected software. The installer has been replaced with a clean version. In a separate incident, KaZaA users were exposed to the Backdoor.K0wbot1.3.B virus, which contains a "remote backdoor component."
http://www.theregister.co.uk/content/56/25945.html
http://www.msnbc.com/news/773650.asp?0dm=T227T

26 June & 1 July 2002 Yaha.E Worm Targets Pakistani Government Site

The Yaha.E worm carries a payload that lobs a slow denial-of-service attack against www.pak.gov.pk, the official website of the Pakistani government. According to some analyses, the worm also tries to disable anti-virus and firewall software. In addition, Hotmail's anti-virus scanner apparently did not detect Yaha.E as of June 26, allowing members to both receive and send the worm. Yaha.E also drops a text file on infected computers that claims the worm is the work of sNAkeeYes,c0Bra.
http://online.securityfocus.com/news/501
http://theregus.com/content/56/25389.html
http://www.vnunet.com/News/1133119

Congressman Howard Berman (D-Calif.) has proposed legislation that would allow record companies to launch cyber attacks on peer-to-peer content sharing networks that violate copyright laws. Permitted measures would include interdiction, redirection and spoofing, but the bill would not allow damage to computers or the spread of viruses. The legislation would provide penalties for those who abuse this power.
http://news.bbc.co.uk/hi/english/sci/tech/newsid_2069000/2069747.stm
http://news.com.com/2100-1023-939333.html
http://www.theregister.co.uk/content/6/25903.html
Press release: http://www.house.gov/berman/pr062502.htm
[Editor's Note (Schultz): I've lamented the lack of relevant computer crime legislation in the past, but this proposed bill is not at all what we need. Giving companies the right to launch attacks against the networks of organizations that engage in peer-to-peer sharing is extremely inappropriate. It is like giving a victim of home theft the right to break into the thief's home. What Congressman Berman is doing is promoting vigilantism instead of helping to promote law and order. Hopefully, this legislation will fail.]

26 June 2002 Site Will Tell You if Your Credit Card Number has Been Stolen

CardCops has created a web site, http://www.Cardcops.com, where people can enter their credit card numbers to find out whether they have been stolen. The group garnered the credit card information from various chat rooms dedicated to credit card fraud and has turned its database over to the Secret Service. CardCops says it has secured the database and does not ask people to enter their cards' expiration dates.
http://www.cnn.com/2002/TECH/internet/06/26/identity.theft.ap/index.html

26 June 2002 BestBuy Files Suit Against Spammers

Hackers managed to steal a BestBuy.com e-mail list and used it to send spam with adult content. Best Buy Concepts, Inc. has filed suit in U.S. District Court against the as yet unknown defendants, referred to as John and Jane Doe, seeking damages greater than $75,000. -http://www.ds-osac.org/edb/cyber/news/story.cfm?KEY=8399

25 June 2002 Broadband Modem Password Problems

Many broadband modems are installed with default passwords, leaving them susceptible to hackers and spammers, and the directions for changing the passwords are not always clear or easy to follow. In addition, attackers can reach a broadband modem even when the computer behind it is turned off. A New Zealand programmer who found his modem had been compromised wrote a program that looked for vulnerable connections and sent warning messages when it found them. He was threatened with possible legal action.
http://www.nzherald.co.nz/storydisplay.cfm?storyclass=2048412
[Editor's Note (Grefer): One more reason to place a NATing (network address translating) router directly behind the broadband modem.]

25 June 2002 NIPC, NIST and SBA to Offer Vulnerability Seminars for Small Businesses

24 June 2002 Mitnick Testifies at Las Vegas Call Diversion Hearing

Some purveyors of adult entertainment in Las Vegas, NV have complained that calls to their businesses are being diverted, and Sprint denies the allegation, maintaining their systems have never been compromised. Kevin Mitnick testified at a hearing that he had once gained control of Sprint's switching systems in that city. -http://online.securityfocus.com/news/497

24 June 2002 Microsoft Will Release Some Palladium Source Code

Microsoft will release the source code to the secure processing environment of Palladium. The company hopes that releasing the code will boost trust in the project. The group product manager for the Palladium project says releasing the code enhances its security. The statement is an apparent about-face from the company's previous stance on open source code.
http://news.com.com/2100-1001-938973.html
[Editor's Note (Schultz): Some proprietary software is secure, some is insecure. The same applies to open software. The quality of the development process is the critical value. At any rate, Microsoft deserves credit for trying something new, releasing Palladium as open software, which is quite a bold experiment.]

The Transportation Security Administration (TSA) will not endorse the "trusted traveler" project, which would use biometric technology and smart cards to allow prescreened passengers a faster route through airport security, because it believes the system could be vulnerable to terrorist infiltration. The White House Office of Homeland Security has shown interest in the project. It is unclear when testing would begin. Civil liberties activists are opposed to the idea.
http://www.washingtonpost.com/wp-dyn/articles/A25989-2002Jun21.html

==end==

Please feel free to share this with interested parties via email,
but no posting is allowed on web sites. For a free subscription,
(and for free posters) e-mail sans@sans.org with the subject:
Subscribe NewsBites

Additional data from the 2002 SANS Security/Sysadmin Salary Survey

- Top-paying industries: consulting, system integration, aerospace,
banking, computer and network manufacturing, and telecom.
- Lowest-paying industries: education, other not-for-profits, and
government agencies.
- Employers with more than 10,000 employees paid their security and
system administration staff nearly 10% more, on average, than did
smaller employers.
- Security and system administrators who work with UNIX reported
salaries nearly 25% higher than those who work primarily with
Windows systems.

Career Paths in Information Security

For the first time this year, SANS has tabulated information about
career paths by asking what positions people held three years ago.
Since most people are in the same position (at higher levels), the data
is sparse. Still, it provides a fascinating picture of mobility among
the various security and system administration jobs (with the exception
of auditing, which seems to be more insular). The primary starting
points for people who want to work in security appear to be system
administration, network administration, and help desk analyst.

The Most Important Aspects of Job Satisfaction

Employers can affect job satisfaction for security and system
professionals in dozens of ways. The survey measured 25 of them.
Only five had a large impact:
Number 1:
Management that shows respect for and trust in your decisions
Tied for number 2:
Educational/training opportunity
Ability to work with and learn new, advanced technologies
Challenge of job/responsibility
Number 5:
Base pay
Among the lowest rated aspects were the reputation of the company,
availability of workout facilities, and stock options.